Microsoft

New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
  • This is a problem? (Score:5, Interesting)

    by Quasar1999 ( 520073 ) on Monday March 10, 2003 @09:10PM (#5481488) Journal
    I think it's great... think about it... you have a crappy password, this worm hits you and it disables file sharing? What could be better? No damage, it forces the admin/user to notice the problem, and possibly set up a proper password, or better still a firewall... This causes minimal damage, minimal downtime, and it helps prevent others from exploiting the same weakness this worm exploits.

    Anyone want to tell me why this is a problem? It forces the person to act, unlike a security posting about good passwords in an employee handbook.
  • by scottm52 ( 544690 ) <<moc.liamg> <ta> <golbnilcamniw>> on Monday March 10, 2003 @09:13PM (#5481515) Homepage
    Is the one left open by an Admin who has no business being an Admin....

    But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

    Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

  • Re:Thank you (Score:2, Interesting)

    by geekoid ( 135745 ) <dadinportland AT yahoo DOT com> on Monday March 10, 2003 @09:16PM (#5481546) Homepage Journal
    The fact that you were yelled at by something you didn't do has nothing at all to do with the fact that MS should force you to select a password for SMB.
    Now if people select password of password, that's a different issue.
    This goes for any operating systems.
  • ummm.... (Score:4, Interesting)

    by oliverthered ( 187439 ) <oliverthered.hotmail@com> on Monday March 10, 2003 @09:18PM (#5481556) Journal
    New UNIX password: oliver
    BAD PASSWORD: it is based on your username

    New UNIX password: jp821968i
    BAD PASSWORD: it looks like a National Insurance number.

    New UNIX password: rg78kn
    BAD PASSWORD: is too simple

    Yeh, nothing to do with the password system.

    Ok, so that's how my linux box is setup (without post install configuration), why isn't windows setup this way?

  • It's about time... (Score:2, Interesting)

    by evronm ( 530821 ) <evronm@dtciFREEBSDnc.net minus bsd> on Monday March 10, 2003 @09:21PM (#5481589) Homepage

    It's about time someone wrote a worm like this.

    If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

    I once worked as an SA at a bank. I could guess 90% of people's passwords in 3 tries. I'd say about 30% were the default "welcome". And the users would bitch (and occasionally get someone fired) if we told them to change them.

    If it is clearly communicated that this thing is spread because of weak passwords, maybe people will wake up and start using real passwords.

    Or is it just wishful thinking?

  • Symantec's hint (Score:5, Interesting)

    by very ( 241808 ) on Monday March 10, 2003 @09:21PM (#5481592) Journal
    On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.

    LiveUpdate:
    Virus Definitions released March 9
    Norton AntiVirus Corp. Edition Defs Version: 50309h
    Norton AntiVirus Corp. Edition Sequence Number: 21592
    Total Viruses Detected: 63225


    This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

    They know something, definitely.
  • by tjhanley ( 338322 ) <tjhanley.yahoo@com> on Monday March 10, 2003 @09:23PM (#5481606)
    how about JamesTKirk, JLPicard, JanewaySmokesPole, ShuttlePod1 (for the alpha numeric pwd)
  • by AvitarX ( 172628 ) <(me) (at) (brandywinehundred.org)> on Monday March 10, 2003 @09:30PM (#5481652) Journal
    what about c$? or admin$?

    not all shares are manually set.

    if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).

  • by fshalor ( 133678 ) <{ten.tsacmoc} {ta} {rolahsf}> on Monday March 10, 2003 @09:31PM (#5481656) Homepage Journal
    Um, actually there are a lot of "default" shares laying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.
  • Re:ummm.... (Score:3, Interesting)

    by seanadams.com ( 463190 ) on Monday March 10, 2003 @09:32PM (#5481659) Homepage
    Yeah, but it'll take passwords like 123!@#qwe!@#
    Hint: look at your keyboard.
  • by mumkin ( 28230 ) on Monday March 10, 2003 @09:35PM (#5481677) Journal
    Anyone want to tell me why this is a problem?

    Because it also installs a VNC server on the box and connects to a pre-defined list of 13 IRC servers, opening a big wide backdoor into the system.

    I suppose you could argue that we don't know what their intentions are -- maybe they're gonna just connect to the box and fix things for the idiot admins, all nice like.
  • Re:Doh! (Score:5, Interesting)

    by nolife ( 233813 ) on Monday March 10, 2003 @09:38PM (#5481687) Homepage Journal
    I remember playing around back in the day connecting to c drives and recursively deleting *.ini or modifying the Eudora ini file to make all outgoing mail appear to be from real name "I'm a Loser". You could always test the printer by placing a bat file in the startup directory to send some.dat > lpt1. Just enough to mess things up but not draw attention to yourself.

    To this day you can still connect to a Win98 share with smbclient and specify the users computer name as your computer name also (the -n switch) and win98 will not show when you are actually connected, it will complain about someone being connected if you attempt to shutdown but will not specify who is connected.
    (I tried this trick with W2K and it was not fooled by the remote connection, unsure of other Win versions.) Of course connection logging on the Windows end is pretty much non-existent so good luck trying to track someone down anyway.
  • Re:ummm.... (Score:2, Interesting)

    by suwain_2 ( 260792 ) on Monday March 10, 2003 @09:40PM (#5481706) Journal
    Not that I exactly advocate weak passwords, but you really can't compare the 'home user' Windows model with the 'Internet server' Linux model. I think a lot of people (primarily the less computer-literate) would be completely bewildered when it rejected the password they wanted to use. Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject. On the systems set up to be this picky, I su to root and change my password, allowing me to bypass the password integrity test. Not the most secure thing in the world, I suppose, but if 'hardcore Linux geeks' get flustered when their password is rejected (and find ways to *make* the system take it), imagine how relatively 'clueless' home users would feel?

    Anyway, maybe it could have a very elementary test: things like "password" and its variants would be rejected, as would common derivations of the username. What might be a better idea was if when the user was asked to create / change a password, it had a section on choosing a *good* password. (And if your password was a 'common' bad one, it could explain why it's bad.)
  • yes, it's a problem (Score:5, Interesting)

    by Erris ( 531066 ) on Monday March 10, 2003 @09:47PM (#5481741) Homepage Journal
    This causes minimal damage, minimal downtime, and it helps prevent others from exploiting the same weakness this worm exploits..

    Right, minimal damage, just a rebuild unless you want to trust a cracker's claim of minimal damage. Time, money all wasted. Ever tried to back up a windoze box? It's not like the useful files are all located in the user's home directory. Stuff gets lost, even with the best "migration" tools. I don't even want to think of the BSA accounting problem this will create at larger firms.

    By the way, who let M$ off for this? They got server daemons running as ROOT, that can write anywhere? Oh yeah! And they have things so tied up that it's a pain in the ass to run anything but M$ crap? No responsibility for the monoculture of weak software on M$'s part is there? Burn, baby, burn, show'em what you are worth!

  • by ackthpt ( 218170 ) on Monday March 10, 2003 @09:49PM (#5481750) Homepage Journal
    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

    Some systems I have used in the past have a built in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.

    You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.

    A modest proposal:

    Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue') Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)

  • by Guppy06 ( 410832 ) on Monday March 10, 2003 @09:54PM (#5481777)
    "Please tell me how it's MS's fault that people pick easy to guess passwords?"

    Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

    Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

    Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

    The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

    True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

    No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
  • Surprising (Score:2, Interesting)

    by chewedtoothpick ( 564184 ) <chewedtoothpick@hot m a i l . c om> on Monday March 10, 2003 @10:11PM (#5481857)
    Surprising that the most popular 'simple' password I have come across: drowssap wasn't on the list... either it must not be very composite, or the programmers of the worm are fairly out-of-touch.
  • by deranged unix nut ( 20524 ) on Monday March 10, 2003 @10:23PM (#5481908) Homepage
    I can beat that:

    I ran into a vendor who by default installed SCO Xenix systems with a blank root password (so they could easily call in and provide support for the accounting application that they sold) and didn't inform the customer.

    Better yet, the accounting app ran as root, so even guests had root access.

    Better yet, the "locked down guest account" showed menu items 1-4 but prompted for 1-22. Item 22 was selectable, and was the utility menu including a shell prompt.

    Better yet, the accounting system had a data file "passwords.txt" containing CSV usernames and passwords for every user account in the accounting system.

    Doh! Doh! Doh! Doh! Doh! Doh! Doh! Doh!

    This was five years ago, but still... EVERY one of their customers (except for the system I set a password on) is probably still vulnerable to the first person in the area with a war dialer.

    Almost as bad: A community college that I attended required their secretarial staff to use one of the 40 pre-approved passwords provided on a list that was sent around the office.
  • by Dunkalis ( 566394 ) <crichards@gYEATSmx.net minus poet> on Monday March 10, 2003 @10:33PM (#5481964)
    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.
  • I concur with the view that services that leave a system open should not be installed by the OS until it has a moderately secure password set up for access. It is even entirely feasible to do this with Windows:

    What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):

    "Warning, there are users for this system that have administrative privileges but have no password set. Before this service can be installed, please enter a password to use for administration purposes. This step exists to protect your computer from being accessed by unauthorized persons. A password should be at least 8 characters long, ideally should contain numbers as well as letters, and should not be a normal English word."

    The dialog presented here will have a [Cancel] button, which would cause the password setting subsystem to fail, and therefore the service would not be installed (with suitable diagnostic given such as "The service was not installed because no security password was set").

    Then, after entering the password, the password subsystem can do a rudimentary analysis of the password, checking its length, whether or not it contains letters/numbers, etc. If it fails to measure up to what is determined to be a weak password, it pops up another dialog:

    "Warning, the password you have selected is considered weak because (insert detailed explanation here). Are you sure you want to use this password? [Yes] [No]" (The default option being "No"). If they click No, then they go back to the password selection.

    After the user has selected a password:

    "Please memorize or write this password down and keep it in a safe place. It is highly recommended that you do not leave the password anywhere that it could be easily discovered by an unauthorized person. This password is now set for the following users: [list of users on the system with admin privileges and no prior password set]. The user(s) can change their password at any time after logging in from the Control Panel 'Users and Passwords' tool. [OK]"

    The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.

    Of course, then what would the Linux and BSD zealots have left to bitch about?

  • by chunkwhite86 ( 593696 ) on Monday March 10, 2003 @10:45PM (#5482008)
    Try changing your Linux user password from the command line (hint: type passwd)

    Pick something easy, like a dictionary word, or something really short.

    You'll see:
    [nimmerge@costanza nimmerge]$ passwd
    Changing password for user george.
    Changing password for george
    (current) UNIX password:
    New password:
    BAD PASSWORD: it is too short
    New password:
    BAD PASSWORD: it is based on a dictionary word
    New password:


    Now give me a valid reason why Microsoft can't require strong passwords by default?
  • by ChaosDiscord ( 4913 ) on Monday March 10, 2003 @11:00PM (#5482075) Homepage Journal
    Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject.

    Good for those Linux boxes! You're using a weak password.

    First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.

    Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!

    Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
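Added example, not code from any of the posts on this page: a rudimentary password filter of the kind the passwd sessions quoted above, the "warn if weak" proposal, and this reply describe. It undoes l33t substitutions and strips trailing digits before the dictionary comparison, because a cracker's rules do the same, flags keyboard walks such as the 123!@#qwe!@# example from earlier in the thread, and returns the reasons so the user can be told why. The common-password set and the dictionary are small constructed samples, and the reason strings, thresholds and function names are my own choices.

```python
import re

# Constructed sample of a "common passwords" list; a real filter would load a
# much larger file (the worm's own list is not reproduced on the page).
COMMON_PASSWORDS = {
    "password", "welcome", "secret", "letmein", "admin",
    "1234", "12345678", "qwerty", "abc123",
}

# Constructed mini dictionary standing in for a cracker's word list.
DICTIONARY = {"monkey", "dragon", "coffee", "thunder", "elephant", "troubadour"}

# l33t substitutions a cracker undoes before comparing against its word list.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Shifted digit keys map back to the digit underneath them.
SHIFT_MAP = str.maketrans("!@#$%^&*()", "1234567890")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def normalize(pw):
    """Lowercase, strip leading/trailing digits and punctuation, then undo
    l33t-speak: 'M0nk3y123' -> 'monkey'."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    base = re.sub(r"^[^a-z]+", "", base)
    return base.translate(LEET_MAP)


def keyboard_coverage(pw, min_run=3):
    """Fraction of characters that sit inside runs of min_run or more adjacent
    keys along one keyboard row, in either direction. '123!@#qwe!@#' -> 1.0."""
    s = pw.lower().translate(SHIFT_MAP)
    if not s:
        return 0.0
    covered = [False] * len(s)
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            forward = row[i:i + min_run]
            for seg in (forward, forward[::-1]):
                start = s.find(seg)
                while start != -1:
                    for j in range(start, start + min_run):
                        covered[j] = True
                    start = s.find(seg, start + 1)
    return sum(covered) / len(s)


def check_password(pw, username, min_len=8):
    """Return the reasons a candidate password is weak (empty list = accepted)."""
    reasons = []
    low = pw.lower()
    uname = username.lower()
    norm = normalize(pw)
    if len(pw) < min_len:
        reasons.append("it is too short")
    # Very short usernames would match almost anything, so require 3+ chars.
    if len(uname) >= 3 and (uname in low or low in uname or uname[::-1] in low):
        reasons.append("it is based on your username")
    if (low in COMMON_PASSWORDS or norm in COMMON_PASSWORDS
            or low[::-1] in COMMON_PASSWORDS):
        reasons.append("it is a common password")
    if norm in DICTIONARY or norm[::-1] in DICTIONARY:
        reasons.append("it is based on a dictionary word")
    if keyboard_coverage(pw) >= 0.6:
        reasons.append("it is a keyboard pattern")
    # Only nag about character classes once the length is acceptable.
    if len(pw) >= min_len and not (re.search(r"\d", pw) and re.search(r"[A-Za-z]", pw)):
        reasons.append("it should contain numbers as well as letters")
    return reasons


if __name__ == "__main__":
    for candidate, user in (("oliver", "oliver"), ("M0nk3y123", "george"),
                            ("drowssap", "bob"), ("123!@#qwe!@#", "sean"),
                            ("cattle-movement-42-web", "larien")):
        verdict = check_password(candidate, user)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Note that "drowssap" is caught by the reversed lookup and "p@ssw0rd" by the l33t normalisation, which is the point of the reply above: whatever trivial transformation a user applies, the cracker's rule set applies it too, so the filter has to undo it before comparing.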

  • I'm curious. (Score:2, Interesting)

    by La Temperanza ( 638530 ) <temperanza@@@softhome...net> on Tuesday March 11, 2003 @12:29AM (#5482487)
    A little OT, but do any *NIXes have Kerberos as your default auth service after a fresh install?
  • Weak XP (Score:5, Interesting)

    by Brat Food ( 9397 ) on Tuesday March 11, 2003 @02:11AM (#5482786) Homepage
    There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).

    That's right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and you're back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about Windows, and often that's not enough, you're in.

    Add to that that all accounts made are Administrator by default, and DON'T need passwords.

    What REALLY hurts Windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.

    Add to this things like the viral Xupiter, and Windows is chock full of holes. And leaving a winXP box in non-admin mode is almost worthless, because SO many programs require admin access rendering it a pain in the ass.

    While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, Windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.

    They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.

    To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

    The Windows box will have every spyware app on it, stuff deleted, etc, etc.

    OH, Xupiter just installed itself again, I have to go...

  • Re:who's on first? (Score:5, Interesting)

    by JWSmythe ( 446288 ) <jwsmythe@@@jwsmythe...com> on Tuesday March 11, 2003 @02:14AM (#5482799) Homepage Journal
    Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.

    chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
    Zero = uppercase o
    One = lowercase L
    One = uppercase i

    I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files. :)

    I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day.. :)

    -----
    #!/usr/bin/perl
    use strict;
    use warnings;

    # The character set comes from a file with one character per line, leaving
    # out difficult (similar) characters such as 0/O and 1/l/I.

    open(my $list, '<', '/usr/users/security/chars.list')
        or die "Cannot open chars.list: $!";
    chomp(my @chars = <$list>);    # drop the trailing newline from each line
    close($list);

    # Pick 8 characters at random (with replacement) and join them.
    my $password = join("", @chars[ map { int(rand @chars) } (1 .. 8) ]);
    $password =~ y/0-9A-Za-z//cd;  # strip anything that isn't alphanumeric
    print "$password\n";
    -----

    Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed. :)

    BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.

  • Try a recent distro? (Score:3, Interesting)

    by freeweed ( 309734 ) on Tuesday March 11, 2003 @02:22AM (#5482829)
    I don't know about you, but an out-of-the-box RedHat 8 is pretty damn secure, assuming you don't install any services with it. Select 'high security' in the installer, and boom! Instant firewall.

    Comes with more software than I've currently got loaded on my Windows machine, period. Office suite(s), games, usenet, web, mail, irc, packet sniffer, firewall, cd-burning,... I could go on, but at 4.6 gigs it's kinda scary :) Took me about 10 minutes worth of clicking on little boxes, nothing beyond the automatic partitioning that even remotely resembled thought. Bless rpms.

    Anyway, your point again was?
  • Re:Weak XP (Score:2, Interesting)

    by gamorck ( 151734 ) <jaylittle AT jaylittle DOT com> on Tuesday March 11, 2003 @03:07AM (#5482931) Homepage
    Really? I guess you weren't aware of the fact that XP will by default not allow the machine to be accessed through netbios remotely using an account which sports a blank password.

    But then again your entire argument is constructed on pure and utter ignorance of the basic facts so I guess I shouldn't have expected anything otherwise... though a retraction on your part would be nice.

    J

    P.S. If a sys admin can't lock down his box without being provided a "I'm not a dumb user" checkbox - doesn't it seem like the problem may not in fact have anything to do with Microsoft at all?
  • by larien ( 5608 ) on Tuesday March 11, 2003 @04:42AM (#5483115) Homepage Journal
    Get one for your mom
    When I helped my mother get on the internet (she uses it mainly for registering cattle movements on the web), I took a CD with Zone Alarm on it with me and installed that with the settings locked down. My home connection (linux box on ADSL) is slightly more open, with ports 22, 80 & 443 open. Only two users have access to port 22, though (unless ssh breaks again...). Everything else at home is NAT'd through the linux box.
  • Re:who's on first? (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 11, 2003 @06:00AM (#5483254)
    I once told a room full of college students that the password for one of my accounts (not one that was very important) was secret and it was in German. Not one of them had the brains to look up the German word for secret and try it. Talk about hiding something in plain sight.
  • by TequilaMonster ( 321655 ) on Tuesday March 11, 2003 @07:23AM (#5483362)
    I use the diceware system [diceware.com]. I generally end up with 25+ character passwords, and when mixed up cases, swap letter for number and word separator special chars are used, it gives very high strength passwords.

    Then just use memory path tricks to store them in the ol' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.
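Added example, not the Perl script posted earlier in the thread and not the diceware tool itself: one generator covering both the ambiguity-free random password from that post and a diceware-style passphrase as described here, with the entropy of each so the two can be compared. It draws from Python's secrets module, which uses the operating system's CSPRNG, rather than a library rand(). The set of excluded look-alike characters, the twelve-word stand-in list, and the function names are my assumptions; the real diceware list has 7776 entries, one per five-dice roll.

```python
import math
import secrets
import string

# Characters a reader can confuse when copying a password off paper. Exactly
# which ones to drop is my assumption; the poster's chars.list is not on the page.
AMBIGUOUS = set("0O1lI")


def build_alphabet(exclude=AMBIGUOUS):
    """Alphanumerics minus the ambiguous ones: 62 - 5 = 57 characters."""
    return "".join(c for c in string.ascii_letters + string.digits if c not in exclude)


ALPHABET = build_alphabet()

# Constructed stand-in for a diceware word list (the real one has 6**5 = 7776
# words); only the size of the list matters for the entropy calculation.
WORDS = ("cattle", "movement", "register", "kiosk", "costanza", "tooth",
         "pick", "hooey", "willies", "migrate", "ledger", "modem")
DICEWARE_LIST_SIZE = 6 ** 5


def combinations(alphabet_size, length):
    """Number of distinct strings, e.g. 54**8 for the poster's 54-character list."""
    return alphabet_size ** length


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def generate_password(length=8, alphabet=ALPHABET):
    """Uniform random characters from the alphabet, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words=5, words=WORDS, sep="-"):
    """Diceware-style passphrase: n independent uniform picks from the word list."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_valid_password(pw, length=8, alphabet=ALPHABET):
    """Check that a generated password has the expected length and alphabet."""
    return len(pw) == length and all(c in alphabet for c in pw)


if __name__ == "__main__":
    print("alphabet size:", len(ALPHABET))
    print("8 chars from 54:", combinations(54, 8), "strings,",
          round(entropy_bits(54, 8), 1), "bits")
    print("5 diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1), "bits")
    print("password:", generate_password())
    print("passphrase:", generate_passphrase())
```

Two things the numbers show: the 72 trillion combinations quoted for 54^8 correspond to about 46 bits, and five words from the full 7776-entry diceware list give about 64 bits, so the passphrase approach described here is stronger than the 8-character random string while being easier to memorise. The toy twelve-word list in the block gives only about 18 bits for five words, which is why the list size, not just the word count, matters.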
  • My system (Score:2, Interesting)

    by Zugok ( 17194 ) on Tuesday March 11, 2003 @08:27AM (#5483484)
    I can't say I keep a high security for my computer as I should (and I really should... too much pr0n to lose), but for internet banking, really important stuff online, I have a pretty foolproof system.

    What I do is I take the name of someone I know for every month of the year. I associate a date with them, like birthday, day I met them etc. Sounds stupid so far, but here's what I do next

    I then associate the date with the current year and decide how to mess about with the numbers. Do I just take the date at face value, or do I use date separators / . and - in some sort of combination and use them as mathematical operators to generate a number? Whatever I decide to do I convert the number into hex (because some passwords require numbers) and then attach it to the name of the person concerned in whatever way I choose and voila, password generated. Keep in mind that if you use the same combination of operators when the year changes, your password is not going to change a hell of a lot for corresponding months between the years

    The beauty is I've told you my system and you can't figure out any of my passwords. Better yet, you don't actually need to remember your passwords, more likely you just need to remember the mathematical operators because names and birthdays should come off the top of your head. I can't remember my slashdot password though, I chose that before my system. Thank goodness for cookies.
